Initially, the media offered a soberreview of the rather lengthy findings and recommendations in the report.

But soon afterwards, journalists and bloggers started observing that the report includes highly aggressive and potentially controversial measures, such as recommending the use of ransomware to attack suspected copyright abusers, as well as retaliatory hacking attacks to retrieve stolen data.

Sorry? This sounds crazy. Can this report seriously be recommending that businesses and governments use malware and hacking to fight back against corporate snooping and copyright dodgers?

The bulk of the report is pretty sensible. It’s only at page 80 that we hit the interesting part, in a chapter entitled “Cyber Solutions”.

Alongside reasonable ideas like improving vulnerability protection and intrusion detection systems, or using digital ‘watermarks’ to tie documents to their rightful owners, there are several sections discussing ‘threat-based deterrence’, which include this:

Recommendation:
Support efforts by American private entities both to identify and to recover or render inoperable intellectual property stolen through cyber means.

Yes, you read that right. It continues:

...software can be written that will allow only authorized users to open files containing valuable information. If an unauthorized person accesses the information, a range of actions might then occur. For example, the file could be rendered inaccessible and the unauthorized user’s computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account.

That’s pretty clear then – they’ve heard of the ransomware approach, and they think it’s a great idea. Further down there are some more off-the-wall moments, discussing ideas like hacking into an intruder’s network to retrieve or destroy stolen data, taking photos of suspects using their webcams, “or even physically disabling or destroying the hacker’s own computer or network.”

Now the authors don’t directly back these wackier ideas, at least not as directly as they support the use of ransomware. Instead they use some complex shilly-shallying and weasel words – they try to make it look like they’re just mentioning them as concepts, without actually recommending them. But later on, they clearly suggest that changes in the law to allow such things are a good idea:

Shortly afterwards they backtrack again, saying they’re “not ready to endorse this recommendation” – so why mention it at all? Simply by including it, they give the concept of cyber-vigilantism legitimacy.

Imagine a high-profile report on real-world theft that urged people to break into the homes of suspected thieves, steal their stuff back and maybe smash up a few other bits and bobs on the way out. How have such crazy ideas made their way into a major study?

The commission, proper title The Commission on the Theft of American Intellectual Property, calls itself an “independent and bipartisan initiative of leading Americans”. It is a group of heavyweight figures including a former CEO at Intel, a university president and a former Ambassador to China.

The report is a serious and scholarly study for the most part, with plenty of interesting data and some sensible ideas and suggestions. It claims to have consulted several “remarkable specialists” along the way, but from the instant outcry, it’s clear that there are plenty of people who could have steered it away from its blunderings over cyber security measures. Were any actual security or anti-malware experts asked for input?

The outrage sparked by some of the suggestions in this report has completely overshadowed the rest of its hard work.

In short, the moments of lunacy popping up in the last few pages are tainting the entire study.

Maybe the general ridicule being plastered on this report might just open the eyes of the political classes to the need for proper, considered engagement with cyber security issues; these knee-jerk ‘just hack ’em back’ attitudes are simply embarrassing.

Post navigation

About the author

John Hawes is Chief of Operations at <a href="http://www.virusbtn.com">Virus Bulletin</a>, running independent anti-malware testing there since 2006. With over a decade of experience testing security products, John was elected to the board of directors of the Anti-Malware Testing Standards Organisation (<a href="http://www.amtso.org">AMTSO</a>) in 2011.

10 comments on “Sorry? Is a US report recommending ransomware to target copyright thieves?”

While the copyright maximalists have no qualms about referring to copyright infringement as theft, I am sure it is not lost on the author that copyright infringement never was theft and, unless they change the legal definition, never will be in any way, shape or form.
Please don't call it theft – at best it's intellectual laziness, and at worst dishonesty :)

Whereas your statement is just as misguided. People have demonstrated loss of income because of people misappropriating copyrighted work… We are not talking about the record labels or publishers. We are talking about the individual artists scraping by on individual commissions. Why should a client pay for something when a another person has taken the work and reposted it for free?

The Feds have always had the ability to perform legalized breaking and entering of anyone's physical property just by getting a warrant. That's considered "due process" It's not immune to abuse, and there are plenty of cases wherein it has been a vehicle for legalized thuggery.

The powers that be are presumed by the masses to be innocent of abuse of power until proven guilty, but even when guilt is proven, the vast majority of people who aren't victims of such practices shrug it off as "the price of law and order".

With the advent of state-sponsored ransomware, it now appears that the Feds are willing to drop the pretense of "due process" and make the interference with property automatic. Like so much of the rest of the cancerous growth of state meddling, this is yet another attempt to establish "guilty until proven innocent" as the norm.

The founders of the U.S., especially those who subscribed to the Declaration of Independence, must be spinning in their graves.

What's this? First, the Stop Online Piracy Act tries to strip people of our free internet, and now the US government wants to strip people of the freedom of the use of a computer for pirating? Besides, this won't stop copyright infringement. A hacker could figure out how to use a Linux Live CD and remove the "Ransomware". Besides, how could lay-persons figure out if Ransomware is the real deal from law enforcement OR an attack from a cyber-criminal? I'll tell you how: They can't, and they could dish out money to cyber-criminals without knowing their otherwise infected! I'm sorry, but when I thought a proposed way to "stop" piracy couldn't get worse than SOPA, I was dead wrong!!!

John Hawes wrote: "Imagine a high-profile report on real-world theft that urged people to break into the homes of suspected thieves, steal their stuff back and maybe smash up a few other bits and bobs on the way out. How have such crazy ideas made their way into a major study?"